Sha256: 97f6aba820a85430f54bf70fd4c55cfd1f31739c7054016bb1c967ce4aca3426

Contents?: true

Size: 996 Bytes

Versions: 4

Compression:

Stored size: 996 Bytes

Contents

# frozen_string_literal: true

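module DuodealerApp
  # Controller concern that authenticates incoming webhook requests.
  #
  # Every action of the including controller is gated on an HMAC-SHA256
  # signature, computed over the raw request body with the application secret
  # and sent Base64-encoded in the HTTP_X_DUODEALER_HMAC_SHA256 header.
  #
  # NOTE(review): the signature covers the body only. Nothing in this concern
  # rejects a replay of a previously captured, validly signed request; if that
  # matters, handlers need their own idempotency or freshness check.
  module WebhookVerification
    extend ActiveSupport::Concern

    included do
      # Webhook senders cannot present a CSRF token, so the CSRF check is
      # skipped; the HMAC check below is the only authentication on these
      # endpoints. `raise: false` tolerates controllers that never defined the
      # CSRF callback.
      skip_before_action :verify_authenticity_token, raise: false
      before_action :verify_request
    end

    private
      # before_action filter: responds 401 (which halts the filter chain)
      # unless the request body carries a valid signature.
      def verify_request
        data = request.raw_post
        return head :unauthorized unless hmac_valid?(data)
      end

      # Checks the signature header against the HMAC of +data+.
      #
      # Both the current and the previous secret are accepted so the secret can
      # be rotated without dropping in-flight webhooks. With no secret
      # configured the result is always false (fail closed).
      #
      # @param data [String] raw request body, exactly as received
      # @return [Boolean] true when the header matches for any configured secret
      def hmac_valid?(data)
        provided_hmac = duodealer_hmac
        # secure_compare expects String arguments; without this guard a request
        # that omits the signature header raises instead of being rejected,
        # turning an unauthenticated request into a 500 rather than a 401.
        return false if provided_hmac.blank?

        secrets = [DuodealerApp.configuration.secret, DuodealerApp.configuration.old_secret].reject(&:blank?)

        secrets.any? do |secret|
          digest = OpenSSL::Digest.new("sha256")
          expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, data))

          # Constant-time comparison so response timing does not reveal how
          # much of the signature matched.
          ActiveSupport::SecurityUtils.secure_compare(provided_hmac, expected_hmac)
        end
      end

      # Account domain as claimed by the sender.
      #
      # NOTE(review): this header is not part of the signed data (the HMAC is
      # computed over the raw body only), so it is not authenticated by
      # hmac_valid?. Confirm it against the payload before using it to select a
      # tenant or account.
      def account_domain
        request.headers["HTTP_X_DUODEALER_ACCOUNT_DOMAIN"]
      end

      # Base64 signature supplied by the sender, or nil when the header is absent.
      def duodealer_hmac
        request.headers["HTTP_X_DUODEALER_HMAC_SHA256"]
      end
  end
end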

Version data entries

4 entries across 4 versions & 1 rubygems

Version Path
duodealer_app-1.0.4 lib/duodealer_app/controller_concerns/webhook_verification.rb
duodealer_app-1.0.3 lib/duodealer_app/controller_concerns/webhook_verification.rb
duodealer_app-1.0.2 lib/duodealer_app/controller_concerns/webhook_verification.rb
duodealer_app-1.0.1 lib/duodealer_app/controller_concerns/webhook_verification.rb